openldap-technical

openldap-technical@openldap.org

9 participants
9942 discussions

Migrating HA Cluster, Want to Force Full Replication
by Brendan Kearney 19 Dec '25

19 Dec '25

List members, I plan on updating my 3 node multi-primary instances and want to have a full resync done when each instance is rebuilt and rejoined to the cluster. Currently, I have both config and DIT fully replicated between all instances. When I rebuild each node, it will have all of the configs in place to be a part of the cluster. What I would like to have is all the data pushed to the newly built, but empty, instance. I have a process that is somewhat brute force, where all data is exported, stripped of entryCSN and contextCSN values, then added back to the newly built instance. This would require that the other instances be stopped or otherwise not take any updates during the transition. I would like to avoid this disruption in service, if at all possible. Is there a way to have a full resync done when a rebuilt instance that has no data rejoins a cluster? Thanks in advance, Brendan Kearney

3 9

RE26 testing call (2.6.11) #1
by Quanah Gibson-Mount 17 Dec '25

17 Dec '25

This is the first testing call for OpenLDAP 2.6.11. Depending on the results, this may be the only testing call. Generally, get the code for RE26: <https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_6/o…> Extract, configure, and build. Execute the test suite (via make test) after it is built. Optionally, cd tests && make its to run through the regression suite. Thanks! OpenLDAP 2.6.11 Engineering Fixed slapd to use fresh timestamp for lastbind (ITS#10379) Fixed slapd delta-syncrepl to always use logDB rootdn (ITS#10360) Fixed slapd reverse lookup of proxied IPv6 addresses (ITS#10387) Fixed slapd logging (ITS#10410) Fixed slapd-ldap response when invalid secprops is configured (ITS#10392) Fixed slapd-mdb error when deleting last child of a branch (ITS#10304) Fixed slapd-mdb check for pool pause in search (ITS#10191) Fixed slapo-memberof clash with refint on subtree rename (ITS#10398) Fixed slapo-syncprov use correct rootDN for accesslog replay (ITS#10385) Minor Cleanup ITS#7901 ITS#10329 ITS#10335 ITS#10339 ITS#10343 ITS#10344 ITS#10345 ITS#10347 ITS#10348 ITS#10349 ITS#10353 ITS#10358 ITS#10359 ITS#10366 ITS#10367 ITS#10369 ITS#10370 ITS#10371 ITS#10372 ITS#10374 ITS#10375 ITS#10376 ITS#10377 ITS#10379 ITS#10380 ITS#10381 ITS#10384 ITS#10388 ITS#10390 ITS#10391 ITS#10400 ITS#10401 ITS#10408

2 2

Syncrepl problem in Vagrant environment
by Stefan Kania 16 Dec '25

16 Dec '25

Hi to all, I have a strange problem. If I install the following LDIFs in an multi provider environment, build directly on vritualBox VMs, everyting is fine: --------Schema extension -------- dn: cn=stkaPosixExtension,cn=schema,cn=config objectClass: olcSchemaConfig cn: stkaPosixExtension olcObjectClasses: ( 1.3.6.1.4.1.56860.1.2.1 NAME 'stkaPosixGroup' DESC 'advanced PosixGroup for dynamic use' SUP top AUXILIARY MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) ) olcObjectClasses: ( 1.3.6.1.4.1.56860.1.2.2 NAME 'stkaPosixAccount' DESC 'advanced PosixAccount for dynamic use' SUP posixAccount AUXILIARY MAY ( memberUID ) ) -------------------------------- ---- Overlay autogroup ------------ dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: autogroup.la dn: olcOverlay=autogroup,olcDatabase={2}mdb,cn=config changetype: add objectClass: olcAutoGroupConfig objectClass: olcOverlayConfig olcOverlay: autogroup olcAutoGroupAttrSet: groupOfURLs memberURL memberUID ----------------------------------- dn: cn=dynposix,ou=groups,dc=example,dc=net cn: dynposix objectClass: top objectClass: groupOfURLs objectClass: stkaPosixGroup gidNumber: 4242 memberURL: ldap:///dc=example,dc=net?memberUID?sub?(title=Linuxuser) --- dynamic group ------------- --- dynamic group user ------- dn: uid=dynuser,ou=users,dc=example,dc=net objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: stkaPosixAccount cn: John Doe sn: Dynamo title: Linuxuser uid: dynuser gidNumber: 1000 homeDirectory: /home/dynuser uidNumber: 12345 userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$ZHN2cnZ0... memberUid: dynuser ------------------------------ I can see the user, replication of cn0config is working, even if I add new changes. No I want to do a setup with vagrant and Debian13. As soon as I try to add the overlay (the schema extension is working fine) the OpenLDAP i crashing wit the following message: ------------------------------ Dec 16 11:16:49 ldap02 slapd[3344]: syncprov_db_open: starting syncprov for suffix cn=config Dec 16 11:16:49 ldap02 slapd[3344]: conn=-1 op=0 syncprov_findcsn: mode=FIND_MAXCSN csn= Dec 16 11:16:49 ldap02 systemd[1]: symas-openldap-server.service: Main process exited, code=killed, status=11/SEGV Dec 16 11:16:49 ldap02 systemd[1]: symas-openldap-server.service: Failed with result 'signal'. ------------------------------ I have never seen this message before. Any hint where I can search for the problem? Stefan

2 2

Replication issue with OpenLdap: slapd 2.6.8 || RHEL 9 (Red Hat Enterprise Linux release 9.7)
by mridumit＠amdocs.com 15 Dec '25

15 Dec '25

Hi I am not able to replicate or facing replication issue within 2 instances where ldap is running. The error I see in logs of slapd is : slap_client_connect: URI=<provider url> DN="cn=<sample value>,dc=<sample value>,dc=<sample value>" ldap_sasl_bind_s failed (-1). Can anybody help us ? I can provide more information if required.

1 0

Timeouts with ldap_search_ext_s and other APIS
by venugopal chinnakotla 11 Dec '25

11 Dec '25

Hi Team, We are working on migration of nsldap C sdk to OpenLDAP C sdk for our application client code. We are using OpenLDAP 2.6.7. As part of this migration, we are facing one issue related to timeouts, that we set LDAP Handle using ldap_set_option and calling an API ldap_search_ext_s. With Mozilla NSLDAP, setting PRLDAP_OPT_IO_MAX_TIMEOUT value to zero in LDAP Handle and making ldap_search_ext_s function call. Also passing timeout value (for Ex: 30 seconds) explicitly as one on the argument. This search call is giving an error: "Timeout error." With OpenLDAP, setting LDAP_OPT_TIMEOUT value to zero in LDAP Handle and making ldap_search_ext_s function call. Also passing timeout value (Same value: 30 seconds) explicitly as one of the arguments. This search call is giving a successful result instead of Timeout error. *Note:* With OpenLDAP, setting LDAP_OPT_TIMEOUT value to zero in LDAP Handle (0 sec, 1 microseconds) and making ldap_search_ext_s function call. Also passing timeout value 30 seconds explicitly as one of the arguments. This search call is giving a successful result instead of Timeout error. *Even tried this: *With OpenLDAP, setting LDAP_OPT_NETWORK_TIMEOUT value to zero in LDAP Handle (0 sec, 1 microseconds) and making ldap_search_ext_s function call. Also passing timeout value 30 seconds explicitly as one of the arguments. This search call is giving a successful result instead of Timeout error. --Here, I think LDAP_OPT_NETWORK_TIMEOUT is applicable only for connection calls. As per our application expected behaviour, with OpenLDAP, search call should give a timeout error, but it is giving a successful result. 1. What is the difference between the implementation of nsldap and OpenLDAP for timeouts? 2. If we want to get a Timeout error in the above use case (setting LDAP_OPT_TIMEOUT to zero) , what should we change with usage of OpenLDAP timeouts and APIs? 3. Also provide me some details on how timeouts are applied for each operation like connect/bind/search calls? 4. Which timeout will take the precedence/consideration when we have different timeouts, one is in LDAP Handle LDAP_OPT_TIMEOUT and another timeout value that we pass explicitly to ldap_searh_ext_s API? a. What happens when we have LDAP_OPT_TIMEOUT (ldo_tm_api in LDAP Handle) has less value than the timeout value specified in ldap_search_ext_s API argument explicitly? b. What happens when we have LDAP_OPT_TIMEOUT (ldo_tm_api in LDAP Handle) has greater value than the timeout value specified in ldap_search_ext_s API argument explicitly? 5. How do these timeouts apply to other API calls ldap_smple_bind_s? 6. Also, can you provide an equivalent timeout in OpenLDAP for Mozilla NSLDAP timeouts? LDAP_X_OPT_CONNECT_TIMEOUT - ( We mapped LDAP_OPT_NETWORK_TIMEOUT in OpenLDA) PRLDAP_OPT_IO_MAX_TIMEOUT - (We mapped LDAP_OPT_TIMEOUT in OpenLDAP) -- Thanks, *c.venugopal*

2 2

Removing AutoCA overlay, objectClass, etc
by Brendan Kearney 06 Nov '25

06 Nov '25

list members, i have a multi-provider footprint that i want to remove the AutoCA functionality from. when i loaded the overlay, i set it to disabled, per the below: dn: olcOverlay={5}autoca objectClass: olcOverlayConfig objectClass: olcAutoCAConfig objectClass: top olcOverlay: {5}autoca structuralObjectClass: olcAutoCAConfig entryUUID: 739501f2-49ad-103e-911a-3dc9b40470bf creatorsName: uid=brendan,ou=domainusers,ou=users,dc=bpk2,dc=com createTimestamp: 20240117175614Z olcAutoCADays: 3650 olcAutoCAKeybits: 2048 olcDisabled: TRUE olcAutoCAserverKeybits: 2048 olcAutoCAuserClass: inetOrgPerson olcAutoCAserverClass: device olcAutoCAserverDays: 1826 olcAutoCAuserDays: 365 olcAutoCAuserKeybits: 2048 entryCSN: 20240117192443.210024Z#000000#001#000000 modifiersName: uid=brendan,ou=domainusers,ou=users,dc=bpk2,dc=com modifyTimestamp: 20240117192443Z note, olcDisabled is set to true. it seems that something went awry and even though i didn't want the capability active, i wound up with some caCertificate and caPrivateKey objects created in the DIT. it looks like i may have added the overlay in an active state and disabled it after the caCertificate/PrivateKey objects were created. i want to clean up things and remove the AutoCA pieces until i can test them better. what process is needed to remove the objects and overlay, as replication may play a part in some of the effort? i could imagine that deleting the caCertificate and caPrivateKey objects would be relatively straight forward, but the overlay may prove a bit more complicated. i found a message on this list from some time ago, https://www.openldap.com/lists/openldap-technical/201811/msg00075.html, that says i can stop the slapd instance, remove the overlay ldif files and restart the instance, to accomplish this task. the issue that i am trying to avoid is having to take down the entire fully replicated DIT, in order to delete the overlay and not have replication recreate it because one active node "didn't get the memo". are there any insights into how i can delete overlays without having replication recreate the objects i want to remove, all while still providing at least one instance to service requests? if it clarifies things, i am running 3 slapd instances behind a load balancer and both the config DB and DIT are replicated between all nodes. if it comes to it, i could take down all instances to perform this work, but i would like to avoid it if possible. thanks in advance, brendan kearney

3 9

Use lmdb for lookup of dentries?
by stefbon＠gmail.com 03 Nov '25

03 Nov '25

Hi, I'm writing FUSE fs's, and need a method for doing lookups for of dentries and inodes. To start with dentries, a FUSE lookup uses the parent inode ino (an uint64_t) and the name. Now I've expirmented a lttle creating a key like: - first 8 bytes used by parent inode ino, left padded with zeros. - rest the name of the entry like 00000001dexample which is the directory dexample in directory with ino 1. (to make this work custom locking is required) It works, but is it a good idea to do? Or are there other methods better? S.Bon

3 5

Question about OpenLDAP modules
by Dino Edwards 30 Oct '25

30 Oct '25

Hello, Hoping someone can help me with this issue I'm having. I'm building OpenLDAP from source using the following command: ./configure --prefix=/usr/local \ --with-tls \ --with-cyrus-sasl \ --enable-overlays \ --enable-modules \ --enable-argon2 \ --enable-remoteauth && \ make depend && make -j$(nproc) && make install && \ ldconfig It looks like it builds correctly, however I'm not seeing the remoteauth.la or remoteauth.so module under /usr/local/libexec/openldap directory. I'm only seeing the argon2.so and argon2.la. When I bootstrap the server with the following it doesn't throw any errors: modulepath /usr/local/libexec/openldap moduleload back_mdb.la moduleload argon2.la moduleload remoteauth.la The weird thing is that when I run this command it shows the installed modules with remoteauth being one of them: ldapsearch -Y EXTERNAL -H "$LDAPI_URI" -b "cn=module{0},cn=config" olcModuleLoad SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 # extended LDIF # # LDAPv3 # base <cn=module{0},cn=config> with scope subtree # filter: (objectclass=*) # requesting: olcModuleLoad # # module{0}, config dn: cn=module{0},cn=config olcModuleLoad: {0}back_mdb.la olcModuleLoad: {1}argon2.la olcModuleLoad: {2}remoteauth.la # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 So, I'm not sure how it's loading remoteauth.la since it's not present under the /usr/local/libexec/openldap directory. As a matter of fact, it doesn't seem to be anywhere on the file system. I tried authenticating a user using remoteauth to a remote AD directory and it didn't seem to work. In all fairness, I'm not sure if I was doing it correctly. Thanks in advance

2 5

admin can bind, normal user cannot, err=49
by hamzaahmed12328＠gmail.com 29 Oct '25

29 Oct '25

OS: Debian 13 Running in an LXC on Proxmox VE 9.0.10 OpenLDAP Ver: @(#) $OpenLDAP: slapd 2.6.10+dfsg-1 (May 29 2025 23:41:48) $ Debian OpenLDAP Maintainers <pkg-openldap-devel(a)lists.alioth.debian.org> Current mdb ACL (Playing around with ACLS to get this to work) # {1}mdb, config dn: olcDatabase={1}mdb,cn=config olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=externa l,cn=auth" manage olcAccess: {1}to * by dn.exact="cn=admin,dc=ahmza,dc=com" manage olcAccess: {2}to attrs=userPassword by anonymous auth by self auth olcAccess: {3}to * by * none Oct 25 02:30:35 ldap slapd[460]: >>> slap_listener(ldaps:///) Oct 25 02:30:35 ldap slapd[460]: conn=1011 fd=15 ACCEPT from IP=10.10.100.12:19604 (IP=0.0.0.0:636) Oct 25 02:30:35 ldap slapd[460]: connection_get(15): got connid=1011 Oct 25 02:30:35 ldap slapd[460]: connection_read(15): checking for input on id=1011 Oct 25 02:30:35 ldap slapd[460]: connection_get(15): got connid=1011 Oct 25 02:30:35 ldap slapd[460]: connection_read(15): checking for input on id=1011 Oct 25 02:30:35 ldap slapd[460]: connection_read(15): unable to get TLS client DN, error=49 id=1011 Oct 25 02:30:35 ldap slapd[460]: conn=1011 fd=15 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384 Oct 25 02:30:35 ldap slapd[460]: connection_get(15): got connid=1011 Oct 25 02:30:35 ldap slapd[460]: connection_read(15): checking for input on id=1011 Oct 25 02:30:35 ldap slapd[460]: op tag 0x60, time 1761359435 Oct 25 02:30:35 ldap slapd[460]: conn=1011 op=0 do_bind Oct 25 02:30:35 ldap slapd[460]: >>> dnPrettyNormal: <uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com> Oct 25 02:30:35 ldap slapd[460]: <<< dnPrettyNormal: <uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com>, <uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com> Oct 25 02:30:35 ldap slapd[460]: conn=1011 op=0 BIND dn="uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com" method=128 Oct 25 02:30:35 ldap slapd[460]: do_bind: version=3 dn="uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com" method=128 Oct 25 02:30:35 ldap slapd[460]: mdb_dn2entry("uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com") Oct 25 02:30:35 ldap slapd[460]: => mdb_dn2id("uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com") Oct 25 02:30:35 ldap slapd[460]: <= mdb_dn2id: got id=0xa Oct 25 02:30:35 ldap slapd[460]: => mdb_entry_decode: Oct 25 02:30:35 ldap slapd[460]: <= mdb_entry_decode Oct 25 02:30:35 ldap slapd[460]: => access_allowed: result not in cache (userPassword) Oct 25 02:30:35 ldap slapd[460]: => access_allowed: auth access to "uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com" "userPassword" requested Oct 25 02:30:35 ldap slapd[460]: => acl_get: [1] attr userPassword Oct 25 02:30:35 ldap slapd[460]: => acl_mask: access to entry "uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com", attr "userPassword" requested Oct 25 02:30:35 ldap slapd[460]: => acl_mask: to value by "", (=0) Oct 25 02:30:35 ldap slapd[460]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth Oct 25 02:30:35 ldap slapd[460]: <= acl_mask: no more <who> clauses, returning =0 (stop) Oct 25 02:30:35 ldap slapd[460]: => slap_access_allowed: auth access denied by =0 Oct 25 02:30:35 ldap slapd[460]: => access_allowed: no more rules Oct 25 02:30:35 ldap slapd[460]: send_ldap_result: conn=1011 op=0 p=3 Oct 25 02:30:35 ldap slapd[460]: send_ldap_response: msgid=1 tag=97 err=49 Oct 25 02:30:35 ldap slapd[460]: conn=1011 op=0 RESULT tag=97 err=49 qtime=0.000029 etime=0.000148 text= Oct 25 02:30:35 ldap slapd[460]: connection_get(15): got connid=1011 Oct 25 02:30:35 ldap slapd[460]: connection_read(15): checking for input on id=1011 Oct 25 02:30:35 ldap slapd[460]: op tag 0x42, time 1761359435 Oct 25 02:30:35 ldap slapd[460]: ber_get_next on fd 15 failed errno=0 (Success) Oct 25 02:30:35 ldap slapd[460]: conn=1011 op=1 do_unbind Oct 25 02:30:35 ldap slapd[460]: conn=1011 op=1 UNBIND Oct 25 02:30:35 ldap slapd[460]: connection_close: conn=1011 sd=15 Oct 25 02:30:35 ldap slapd[460]: conn=1011 fd=15 closed Im happy to share my config too but this is already getting long

2 2

ldap search is failing with error "Bad search filter (-7)" for complex search filter having spaces in OpenLDAP 2.6.7
by venugopal chinnakotla 24 Oct '25

24 Oct '25

Hi Team, We are working on migration of nsldap C sdk to OpenLDAP C sdk for our application client code. We are using OpenLDAP 2.6.7. As part of this migration, we are facing one issue with a search filter that we are using to get content from LDAP servers. search filter: (| (uid=user1) (| (mail=user1(a)test.com) (! (mail= user100(a)test.com) ) ) ) We are using this search filter for user lookup from LDAP servers in our application for one of our cases. We are using OpenLDAP C API: ldap_search_ext_s (and/or ldap_search_ext) in our application. When we make a search call from our application to LDAP server using the above search filter, we are getting "Bad search filter (-7)" error instead of the users list. Due to this, our migration is blocked. Tried using the same search filter with *ldapsearch *utility provided by OpenLDAP, but getting the same error message. Below is the snippet of error with search filter. *>ldapsearch.exe -H ldap://ldapserver1.com:389 <http://ldapserver1.com:389> -D "cn=admin,o=test.com <http://test.com>" -b o=test.com <http://test.com> "(| (uid=user1) (| (mail=user1(a)test.com <user1(a)test.com>) (! (mail=user100(a)test.com <user100(a)test.com>) ) ) )"# extended LDIF## LDAPv3# base <o=test.com <http://test.com>> with scope subtree# filter: (| (uid=user1) (| (mail=user1(a)test.com <user1(a)test.com>) (! (mail=user2(a)test.com <user2(a)test.com>) ) ) )# requesting: ALL#ldap_search_ext: Bad search filter (-7)* But the same search filter is working fine with our existing nsldap provider. We are able to get the users list from the LDAP server using the same search filter without any changes. To maintain backward compatibility in our application, we should be able to get the content from the LDAP server using the same search filter. Could you please look into this problem and provide a solution for this? -- Thanks, *c.venugopal*

7 8

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical